Toward the Strategic Security Imperative: Integrating Automated Patch and Vulnerability Management Into an Enterprise-wide Environment
by Lane F. Cooper - Originally published in issue 2 of (IN)SECURE Magazine - Tuesday, 30 August 2005.
While organizations may be struggling with how to protect their information assets in an integrated and strategic manner, attackers do not suffer from this angst. We are seeing the rise of hybrid threats in which viruses are used as launching points for initiatives that are designed to gather sensitive corporate data and/or execute identity theft.

For instance, spam is being used for phishing (an online con in which a "fake" site is set up to attract victims and solicit sensitive information from end-users). Spyware, malware or viruses are then planted on consumer computers, while the attackers simultaneously gather information that makes it easier to hack into the networks of the organizations they are spoofing.

As a result, we have seen attacks on enterprise networks become much more sophisticated and focused.

“This is why a tactical approach to security simply doesn’t cut it anymore... especially when the threat picture to digital assets in all enterprise environments has become so acute. Where once the hacker community may have been seen as kids playing games, today we see malicious activity that is profit driven in some cases, and guided by fanaticism in others,” notes Moshir.


A Strategic Response

A growing number of large organizations are recognizing the imperative for the IT community in general - and the information security community in particular - to move away from a tactical perspective of their role, and become a more strategic element in their organizations.

Thomson Financial Chief Information Security Officer (CISO) Tim Mathias explains, “In 2004, our technical operations organization adopted ITIL [the IT Infrastructure Library] to develop a long term strategy for providing IT services. We embraced an IT service management model that is a top-down, business-driven approach to the management of IT that specifically addresses the strategic business value generated by the IT organization and the need to deliver a high quality IT service. We immediately recognized that security management touches a number of the high level processes including infrastructure and application management, service delivery and service support. So we have integrated our security operations into this service management paradigm.”

According to PatchLink’s Moshir, an effective strategic response to these threats must consist of four basic elements. It must be:
